I wrote this post to continue with the sysadmining series asked by Ardian.

Sometimes I need cron scripts to email me the result of something and configuring sendmail or postfix to do that seems a little like killing a mosquito with a bazooka (it works, but it’s not very efficient).

So, what I do is use msmtp.

msmtp is very easy to use and configure. Just write a config file for it (.msmtprc in your $HOME) and make it point to the GMail SMTP server.
Something like this works:

That command would send an email to foo@bar.com with the subject “test” and the body “hello world”
The “Subject” and “To” fields are optional, but it’s nice to include them. The \n are new lines.

You can also make a text file and cat it and redirect the output with pipes.
More information for the email could be included, like the text encoding used, etc, but for the stuff I need to email, a subject and a body is usually more than enough.
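
An added example, not the post's original config or command: a .msmtprc pointing at the GMail SMTP server with certificate checking on and no plaintext password, plus a message built the way the text describes. The account name, the cron@example.com address, the CA bundle path and the gpg-encrypted password file are assumptions.

```shell
#!/bin/sh
# Added example, not the post's own config. Assumed values: account name
# "gmail", cron@example.com, the Debian-style CA bundle path, and a
# gpg-encrypted password file read through passwordeval.

write_msmtprc() {  # write_msmtprc <path>
    ( umask 077    # keep the file private (0600) from the moment it is created
      cat > "$1" <<'EOF'
defaults
auth           on
tls            on
tls_trust_file /etc/ssl/certs/ca-certificates.crt

account        gmail
host           smtp.gmail.com
port           587
from           cron@example.com
user           cron@example.com
passwordeval   gpg --no-tty -q -d ~/.msmtp-pass.gpg

account default : gmail
EOF
      chmod 600 "$1"   # also tighten a file that already existed
    )
}

build_message() {  # build_message <to> <subject> <body>
    # Headers first, then one empty line, then the body.
    printf 'To: %s\nSubject: %s\n\n%s\n' "$1" "$2" "$3"
}

# Usage from a cron script (not run here):
#   write_msmtprc "$HOME/.msmtprc"
#   build_message foo@bar.com test "hello world" | msmtp foo@bar.com
```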

Disclaimer: I don’t like using GMail (the default interface has a JavaScript trap, I don’t trust Google with my personal data, etc), but GMail (through Google Apps) is the mail server of choice at work. Using msmtp doesn’t mean you HAVE TO use GMail. I only put it as an example because it’s what we use at work. As a matter of fact, you’re better off NOT using GMail at all and using some other email provider that doesn’t spy on you and that respects your freedom.

Asked by my friend Ardian, I’m writing these tips for sysadmin-wannabes hoping that it will be useful.

Securing SSH

SSH is one of the best friends of any sysadmin (because everybody knows that sysadmins don’t have real friends). Because SSH is one of our true few friends, we need to make sure that it stays our friend and to do that we have to defend it.
Here are some ways to achieve that:

Security through obscurity

It is a general consensus that securing something through obscurity is not a good idea. Security through obscurity is not real security, but sometimes it helps stop annoying script kiddies. You can’t make your whole security scheme rely on people not knowing your secret, particularly when the secret is easily discovered.
I’m talking here about moving your SSH port to something other than 22 (which is the default port). It’s very easy to find out which ports are open on a server (you just need to use nmap), but there are people who don’t know that and have automated scripts constantly trying to gain access through that port. Usually a higher port is a good idea.
Just don’t rely on this as your only means of securing SSH.

Hello, Mr. John Doe

Don’t let users with very common usernames have SSH access. Particularly, don’t let root have SSH access. Other usernames that shouldn’t be allowed are admin, superadmin, backup, cron, etc. Automated attempts to gain access use dictionaries of common users, so it’s better if we don’t give them a chance to guess what users we have in the system.

Stop knocking at my door!

If we receive many failed login attempts from the same IP, then that person probably isn’t someone with a valid password. There are many ways to tell that person to get off: IPTables rules, fail2ban, denyhosts, etc. Some people may even prefer their own solutions, but having these available, that’s probably not necessary.
The idea is that if a user keeps trying to gain access to our server, we can lock them out for a certain period of time.

Leo@Vinci

Sometimes we have users who always connect from the same host. The host can then be specified in the sshd configuration file so that the user can’t connect from anywhere else. That way, we close the door to yet another possible intruder trying to spoof our user from some other location.

Password? What password?

Relying on passwords might not be a great idea because passwords can be weak (although that can be solved with PAM magic, which I may talk about at a different time). Generating SSH keys and disabling password authentication is usually a good idea. SSH keys are unique (unless you use certain versions of Debian…).
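
The tips above as a check you can run against a config file, as an added example that is not from the original post: it reports a default port, root or password logins, and AllowUsers entries that use one of the common names listed earlier or are not pinned to a host. The sample config and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: check an sshd_config against the tips in this post.
# Only the global section is read (parsing stops at the first Match block).
# sshd keywords are case-insensitive and the first value seen wins.

sshd_value() {  # sshd_value <file> <keyword>: print first value, or nothing
    awk -v key="$2" '
        tolower($1) == "match" { exit }
        $1 ~ /^#/ || NF < 2 { next }
        tolower($1) == tolower(key) { $1 = ""; sub(/^ /, ""); print; exit }
    ' "$1"
}

audit_sshd_config() (  # one finding per line; no output means all tips applied
    set -f             # AllowUsers entries may contain * and ? patterns
    port=$(sshd_value "$1" Port)
    [ "${port:-22}" = 22 ] && echo "port: default 22 in use"
    root=$(sshd_value "$1" PermitRootLogin)
    [ "$root" = no ] || echo "root: PermitRootLogin is '${root:-unset}', want 'no'"
    pw=$(sshd_value "$1" PasswordAuthentication)
    [ "$pw" = no ] || echo "password: PasswordAuthentication is '${pw:-unset}', want 'no'"
    allow=$(sshd_value "$1" AllowUsers)
    [ -n "$allow" ] || echo "users: no AllowUsers line, any account may try to log in"
    for u in $allow; do
        case ${u%%@*} in
            root|admin|superadmin|backup|cron)
                echo "users: common name '${u%%@*}' is allowed" ;;
        esac
        case $u in
            *@*) ;;
            *) echo "users: '$u' is not pinned to a host" ;;
        esac
    done
    return 0
)

sample_config() {  # constructed input, not taken from a real host
    cat <<'EOF'
# constructed sshd_config for the example
Port 22
permitrootlogin yes
AllowUsers leo@vinci admin
EOF
}
```

Run it as `audit_sshd_config /etc/ssh/sshd_config`; on a live host `sshd -T` shows the effective settings, including defaults and Match blocks this parser skips.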

I told people at work (yes, I have a job now, more about that later… or maybe not) that I could make lemon pie. They know I’m all about free software, so they asked me if it was GPL lemon pie. I published this in our intranet (some of it is in Spanish, but even if you don’t speak a word of Spanish you can tell what’s going on):

Some time ago we started toying with the idea of porting our operating system to the new Lemote Yeelong.
This computer is characterized by having a completely free hardware design and by not needing any nonfree software components to work.

Unlike other computers we know, it doesn’t use a processor made by the best-known companies.
The Lemote company uses a processor developed completely in China, named Loongson. It has a MIPS architecture.

In UTUTO XS, we have had a tradition of development and advocacy of free software for more than 6 years. As the UTUTO project, we thought it would be important to support this hardware starting with version 2010. This would help the spreading of free software and also it would be another choice of operating system for the Lemote computers.

Richard Stallman talked to us about the possibility of getting some Lemote computers as a donation for this project and he put us in contact with the Lemote company in China.

A couple of days later Lemote sent us the Yeelong computers and thanked us for our intention of porting our operating system.

This initiative has the support of institutions that advocate free software and free knowledge.

This initiative is the beginning of the project that we internally codenamed “UTUTO XS Lemote”.
The idea is to have an XS system for these computers along with the corresponding updated package repository, just like with the versions for other processors.

We think this is an important opportunity to learn and to face the challenge of creating a complete and functional system that would have the user at the core.

Here [0] you can see some pictures of the computers that we’ve got and also how we started the creation of the boot loader of the operating system and the compilation of a basic user system. For the time being we only have a text command line.

We thank all the people who support this project and we will keep you informed with the news on the development of “UTUTO XS Lemote”.

I have been meaning to write this blog post for a long time, but for some reason or another it always ended up as a draft. First of all, for those of you who still don’t know, I came to Kosovo for a free software conference [0] that will take place on August 29th and 30th at the University of Prishtina. I was invited to speak about two different topics which are translation with free software and basic Python. If you are in the area (or you are rich and feel like spending money on plane tickets) then I’d be really glad if you could join us here in Kosovo. Now, I came to Kosovo some time in advance to get to know the place and to help organize the conference. During my stay here I’ve had a great time visiting places like Mirushe [1]. People here are very nice and I was pleasantly surprised when the locals at Gjakova even helped me carry my bags when I got to the bus station and then took me to a place where I could phone my friend Heroid (who’s letting me stay at his house and I really thank him for that). To top it all, these nice gentlemen that carried my bags even paid for the phone call I made. Also, and I think this is something that I need to point out, Kosovar girls are extremely beautiful ;-) Nobody is as beautiful as my loving girlfriend fiancée wife!!! :D. So, this has been a great trip so far and, after all my US / Buenos Aires winters, I really welcome this European summer sun. You should also come to the free software conference in Prishtina; it’s definitely worth it.
[0] http://kosovasoftwarefreedom.org
[1] http://picasaweb.google.com/arianit/PrizrenMirushe

Photo blogs were (or are, who knows how long fads last) very popular in my country. They were so popular that photo blog users formed some kind of urban tribe and they gathered in a local shopping mall to do… nothing. I guess they took pictures… One thing’s for sure, they had very dubious fashion tastes. So my friend Marcolandia decided it was about time there was a free software solution for these poor and tormented souls: this article is not about floggers (short for photo blogger) but about this new GNU AGPLv3 photo blogging software.

I’m definitely not a flogger, but I had to try my friend’s software and I have to say that it’s really impressive. I could post a screenshot of my photoblog in my new photoblog, but I’m not up for recursion today. You can visit my photoblog or you can download the software and try it out: TontoFlog. (It will soon be uploaded as a Savannah project.)

It’s only in Spanish for now, but I’ll work on a translation as soon as Marcolandia puts the strings all together so TontoFlog stays modular.